Akeyless SCP
Akeyless SCP enables secure copy (SCP) of files to and from target servers through the Akeyless Secure Remote Access Bastion.
Note: Akeyless SCP currently supports only UNIX-like operating systems.
Prerequisite
- Akeyless Secure Remote Access Bastion.
- OpenSSH V7.3 or higher on target servers.
Usage
- Download Akeyless SCP script:
curl -o akeyless-scp https://download.akeyless.io/Akeyless_Artifacts/Linux/SSH/akeyless-scp
chmod +x akeyless-scp
mv akeyless-scp /usr/local/bin
- Create your ~/.akeyless-sphere.rc:
# ---------------------------------------------------------------------
# Copyright © 2021 Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------
#
# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc
#
# identity_file - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)
identity_file=""
# cert_issuer_name - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session
cert_issuer_name=""
# profile - Akeyless CLI profile to be used
profile="default"
# Akeyless CLI binary (if needed)
AKEYLESS_CLI=akeyless
# AKEYLESS_API_GW - URL for Akeyless API Gateway (RestAPI)
AKEYLESS_API_GW=""
# Following are used for control service, to configure the temporary session:
# ${BASTION_API_PROTO_}://"${BASTION_API_PREFIX_}${JB_SRV_}${BASTION_API_PATH_}":"${BASTION_API_PORT_}
#
BASTION_API_PREFIX_=""
BASTION_API_PATH_=""
BASTION_API_PROTO_=http
BASTION_API_PORT_=9900
# Allow caching of temp session creds
SESSION_CACHING=no
# Display connection stages
DISPLAY_STAGES=yes
The latest version of this file can be found in Akeyless official artifacts.
Set the following values (the rc file above carries them as cert_issuer_name, profile, AKEYLESS_API_GW, BASTION_API_PROTO_, BASTION_API_PORT_, BASTION_API_PREFIX_ and BASTION_API_PATH_):
- CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificate Issuer item.
- AKEYLESS_PROFILE - The Akeyless Command Line Interface (CLI) profile to use. By default the default profile of your Akeyless CLI is used.
- AKEYLESS_GW_REST_API - Your Akeyless Gateway REST API URL on port 8080. Required for Zero-Knowledge items and for access from an internal network.
- BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.
- BASTION_API_PORT - Default is 9900. Set it to the port on which your ssh-sra cluster service exposes the bastion API control port.
- BASTION_SSH_PORT - Default is 22. Set it to the SSH port of your ssh-sra cluster service.
Optionally, when working with load balancers, you can set the exact FQDN of your ssh-sra service that listens on the bastion API control port:
- BASTION_API_PREFIX - FQDN prefix, matching your load balancer settings.
- BASTION_API_PATH - FQDN path, matching your load balancer settings.
The control URL is then composed as follows:
${BASTION_API_PROTO}://${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}:${BASTION_API_PORT}
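The following added example is not the page's or Akeyless's own code; it is a POSIX shell check for the rc file described above. It sources an rc written with the variable names of the file shown above, refuses a file that other users can write (the rc is executed as shell code), verifies the values the page calls mandatory, warns when the control channel is plain http, and composes the control URL by the page's formula for a bastion host passed as an argument. The rc path and bastion host parameters, the demo() function and its sample values (such as bastion.example.com and /SSH/demo-cert-issuer) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Akeyless page or of the akeyless-scp script.
# Sources an ~/.akeyless-sphere.rc-style file (variable names as in the rc
# file above), validates it, and composes the bastion control URL by the
# page's formula:  ${PROTO}://${PREFIX}${HOST}${PATH}:${PORT}
# The rc path and bastion host are parameters; values in demo() are constructed.

# Reset to the script's documented defaults, then source the rc file.
# The rc is executed as shell, so refuse one that group or others can write.
load_rc() {
    rc_file="$1"
    [ -f "$rc_file" ] || { echo "rc file not found: $rc_file" >&2; return 1; }
    if [ -n "$(find "$rc_file" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "refusing $rc_file: writable by group or others" >&2
        return 1
    fi
    cert_issuer_name=""; profile="default"; AKEYLESS_API_GW=""
    BASTION_API_PREFIX_=""; BASTION_API_PATH_=""
    BASTION_API_PROTO_=http; BASTION_API_PORT_=9900
    . "$rc_file"
}

# Validate the loaded values; returns 1 on the first hard error.
check_rc() {
    load_rc "$1" || return 1
    if [ -z "$cert_issuer_name" ]; then
        echo "cert_issuer_name is empty: set it here or pass --cert-issuer-name" >&2
        return 1
    fi
    case "$BASTION_API_PROTO_" in
        http|https) ;;
        *) echo "BASTION_API_PROTO_ must be http or https, got '$BASTION_API_PROTO_'" >&2; return 1 ;;
    esac
    case "$BASTION_API_PORT_" in
        ''|*[!0-9]*) echo "BASTION_API_PORT_ must be numeric, got '$BASTION_API_PORT_'" >&2; return 1 ;;
    esac
    # Plain http means the temporary-session setup crosses the network unencrypted.
    [ "$BASTION_API_PROTO_" = https ] ||
        echo "warning: BASTION_API_PROTO_=http; set https once the bastion is configured with TLS" >&2
    return 0
}

# Print the control URL the script would contact for the bastion host in $2.
bastion_api_url() {
    load_rc "$1" || return 1
    printf '%s://%s%s%s:%s\n' "$BASTION_API_PROTO_" "$BASTION_API_PREFIX_" "$2" \
        "$BASTION_API_PATH_" "$BASTION_API_PORT_"
}

# Stand-alone demo with a constructed rc (mktemp creates the file mode 0600).
demo() {
    tmp_rc=$(mktemp) || return 1
    cat > "$tmp_rc" <<'EOF'
# constructed sample rc for the demo
cert_issuer_name="/SSH/demo-cert-issuer"
BASTION_API_PROTO_=https
BASTION_API_PREFIX_="ssh-"
BASTION_API_PORT_=443
EOF
    check_rc "$tmp_rc" && bastion_api_url "$tmp_rc" bastion.example.com
    rm -f "$tmp_rc"
}
demo
```

Note that with a non-empty BASTION_API_PATH_ the page's formula places the port after the path (for example http://bastion.example.com/sra:9900), so compare the printed URL against what your load balancer actually serves before relying on the prefix/path settings.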
- Use the akeyless-scp command to secure-copy a file to or from a remote target server via the Akeyless Secure Remote Access Bastion.
Full options list:
Usage: /usr/local/bin/akeyless-scp <username@target-host[:port]> via <bastion-server[:port]> [options]
optional arguments:
--cert-issuer-name Akeyless certificate issuer name [mandatory]
--local-file Local file to copy [mandatory]
--remote-file Remote path to copy to or from [default is '~/']
--direction upload/download [default is 'upload']
--profile Use a specific profile from your Akeyless CLI
-i Selects a file from which the identity (private key) for public key authentication is read [default is '~/.ssh/id_rsa']
--ssh-extra-args Use to add official SSH arguments (except -i)
For example, this command copies a local file to a remote server (an upload, the default direction):
akeyless-scp <username>@<target-host> via <sra-bastion-ssh-service> --local-file /full/local/location/file --remote-file /remote/location/file
Working With SSH Keys
When the remote host does not support SSH certificates, you can still use Akeyless SCP with SSH keys: the relevant private key is stored as a Static Secret in Akeyless, the client connects to the Akeyless Bastion over a short-lived SSH certificate, and the Bastion connects onward to the target over SSH with that key. For example:
akeyless-scp <username>@<target-host> via <sra-bastion-ssh-service> --local-file demo_file --remote-file /home/ubuntu/demo_file --name "/path/to/static-secret-of-ssh_private_key"
The --name option should point to a static secret in Akeyless holding the SSH private key. Users should have only list permission on this item, while the Bastion should have read permission.
A tunnel is then established, and the Akeyless Bastion fetches the key and uses it on the client's behalf without ever exposing it to the client.